The complexity of the EU General Data Protection Regulation (“GDPR”) is often alleviated by the guidance of regulatory authorities who contribute their practical interpretation of the black letter of the law and provide welcome certainty. However, the latest draft guidelines issued by the Article 29 Working Party (“WP”) on automated decision-making have thrown up a particular curve ball which bears further investigation. It relates to whether Article 22(1) of the GDPR should be read as a right available to data subjects or as a straightforward prohibition for controllers.
Growing evidence suggests that existing Telephone Consumer Protection Act (“TCPA”) compliance challenges, and the current TCPA litigation landscape, are increasingly a threat to many U.S. companies – particularly small businesses that have fewer resources and could face financial ruin if targeted by a class action lawsuit. To help address this issue and support the U.S. economy, Congress and the Federal Communications Commission (“FCC”) should revise the current TCPA framework and facilitate reasonable, practical compliance approaches for companies attempting in good faith to communicate with customers.
On 6 October, the German Federal Cartel Office (“FCO”) launched its new series of papers on “Competition and Consumer Protection in the Digital Economy.” The first paper deals with “Big Data and Competition.” The same day, a “real-life example” of competition enforcement in Big Data became public. The EU Commission confirmed unannounced inspections in “a few Member States” concerning online access to bank customers’ account data by competing service providers.
Whether malicious or inadvertent, workforce actions cause or contribute to over half of cyber attacks experienced by organizations. Protecting against such “insider” cyber risks can be challenging, especially given the global web of privacy, communications secrecy, and employment laws that may be implicated by monitoring workforce use of IT resources.
Harriet Pearson and James Denvil, lawyers in the Hogan Lovells Privacy and Cybersecurity practice, have led the authorship of a white paper to help companies understand and navigate the workforce cyber risk landscape. An international team of privacy and cybersecurity lawyers from Hogan Lovells and select local counsel firms contributed to the analysis.
Last week, the U.S. District Court for the Northern District of California dismissed three of six claims the Federal Trade Commission (FTC) asserted against D-Link Systems (D-Link) related to its sale of routers and IP cameras and related software and services. The decision has implications for the pleading standards courts use to evaluate such claims at the motion to dismiss stage and for the FTC’s assertion of unfairness claims based on alleged likelihood of substantial consumer harm.
On September 13, the U.K. government introduced in Parliament the Data Protection Bill. The main aim of the bill is to implement the General Data Protection Regulation (EU) 2016/679 into U.K. domestic law. However, as perhaps reflected in the length and complexity of the bill, it is also intended to do several other things, including:
The Information Commissioner’s Office (ICO) ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust (the Trust) had failed to comply with the Data Protection Act 1998 (DPA) when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today: sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) may impact the use of patient data going forward.
On September 5, the European Court of Human Rights (ECHR) issued a ruling in the case of Bărbulescu v. Romania that affirms employees’ right to privacy in the use of communications tools in the workplace. Although the ruling is strict, it aligns with the positions taken by the national courts of certain European Union Member States (e.g., Germany) and guidance issued by data protection authorities. And the criteria that the ECHR adopts for assessing the lawfulness of monitoring generally align with the requirements under the General Data Protection Regulation (GDPR), which takes full effect on May 25, 2018. In this post, we summarize the ruling and identify key takeaways for companies that monitor workforce use of information systems and tools in the EU.
The European Court of Human Rights decided on June 22, 2017 that France’s DNA database for convicted criminals disproportionately interferes with individuals’ privacy rights because of its one-size-fits-all retention period and the failure to include a procedure to request erasure.
The U.S. Court of Appeals for the Eighth Circuit has become the latest appellate court to enter the contested debate over Article III standing in data breach litigation. The Eighth Circuit held that 15 of 16 named plaintiffs who never alleged they had suffered identity theft or incurred fraudulent charges on their payment cards did not have standing to pursue claims based on alleged risk of future harm in the multidistrict action In re SuperValu, Inc. Customer Data Security Breach Litigation. The Eighth Circuit’s opinion comes on the heels of other decisions that found risk of future harm following a data breach sufficient to confer Article III standing on class action plaintiffs.